This selection is intended to include all important and all user-visible changes. For a complete record of all changes, please see the "source-changes" mailing list, called "OpenBSD CVS" in the archives, or use CVS.
Changes made between OpenBSD 6.8 and 6.9
- Provided U-Boot binaries that work on Raspberry Pi 3 and 4 and firmware for Raspberry Pi 4, allowing use of the same installation method as for 3 without separate UEFI firmware.
- Released LibreSSL 3.3.2.
- Implemented a control message to get the state of iscsid(8) and slowed iscsictl(8) loading to prevent mount errors during startup.
- Returned to 6.8 behavior of sending two direct ACKs upon receipt of a data segment.
- Ensured WEP and plaintext interface link state update by iwi(4).
- Switched athn(4) 802.11n Tx rate adaptation from MiRA to RA.
- Fixed a problem where athn(4) devices would use a different channel than the one selected by net80211.
- Implemented version 2 of virtio(4) at fdt, as used by Parallels on the Apple M1, allowing use of OpenBSD as VM.
- Fixed incorrect parsing of bgpd(8) config files due to endianness.
- Switched back to the legacy X.509 verifier for release.
- Fixed bgpctl(8) show mrt for UPDATE messages.
- Fixed tcpdump(8) parsing of wg(4) packets on powerpc64.
- Made iwx(4) attach to AX201 devices with PCI ID 0x06f0.
- Ignored expandtab setting when in vi(1) command mode.
- Prevented inappropriate privilege elevations with X server XInput input validation failure.
- Created install*.img files for arm64, sparc64 and octeon.
- Allowed mixing of TLS and non-TLS configuration parameters within httpd(8).
- Allowed specification of TLS ciphers and protocols within smtpd.conf(5).
- Fixed dhcpleased(8) handling of invalid T1 or T2 responses.
- Fixed an iked(8) bug where host routes were deleted upon IKE SA rekey.
- Stopped requesting unused "classless-static-routes" dhcp-options(5), which resulted in dhcpleased(8) failing to install a default route.
- Introduced graphaudio(4), a driver to support linking together audio components based on the audio graph description.
- Added support to rkclock(4) for the fractional dividers for the i2s clocks, fixing audio on the Pinebook Pro.
- Made apm(8) report apmd(8) failures.
- Updated nsd(8) to 4.3.6.
- Fixed an rpki-client(8) hang after hash check failure.
- Ensured printing of all mount(2) flags in ddb(4) "show all mounts".
- Added a flag to prevent attachment of certain video devices not currently supported by uvideo(4), such as the Chicony Integrated IR Camera.
- Improved vmm(4) exit handling for AMD SVM and Intel VMX, fixing a potential boot loop on AMD hosts.
- Added vmd(8) support for booting from compressed kernel images.
- Added support to ugold(4) for TEMPerGold and additional TEMPerHUM devices.
- Excluded the first page and added a guard page between I/O virtual address space allocations on arm64.
- Included the default cert.pem file path in tls_load_file error messages in rpki-client(8).
- Implemented ZONEMD (RFC 8976) in dig(1) to convey a message digest of the content of a DNS zone.
- Updated nsd(8) to 4.3.6rc1.
- Changed tmux(1) search-again with vi keys to work like vi(1).
- Added RRDP (The RPKI Repository Delta Protocol, RFC 8182) support to rpki-client(8).
- Added the rsync(1) option --no-motd to suppress the information output by the client at the start of a daemon transfer.
- Allowed smtpd.conf(5) specification of tls protocols and ciphers on relay actions.
- Propagated host-side tap(4) lladdr to guest vm process to allow unicast dhcp and bootp renewals with vmd(8)'s built-in dhcp server.
- Cleaned up events on vmd(8) pause or resume and fixed an issue leading to broken serial console by cleanly tearing down and restoring emulated device state on vm send/receive.
- Ignored WSMOUSEIO_GTYPE ioctl failure when checking /dev/wsmouse to ensure a driver is loaded to listen if a USB mouse is later plugged in.
- Added vid/pid table to umb(4) allowing matching to alternate configurations.
- Ensured WEP and plaintext interface link state update by ipw(4).
- Finished conversion of dhclient(8) timers to allow monotonic accounting for the active lease.
- Added ARMv8-5 instruction set related CPU features to arm64.
- Updated to xf86-video-r128 6.12.0.
- Inverted the mg(1) "R" indicator to mean that a "*" next to a file's name indicates that it is read-only. Made the active buffer indicator more visible by changing it to ">".
- Permitted kern.somaxconn when the unix pledge(2) is used, allowing Go programs to use "unix" without also including "inet".
- Provided apm(4/arm64) with battery information.
- Prevented an amd64 kernel crash with protection fault due to an invalid offset when reading /dev/kmem.
- Made wscons(4) touchpad tap detection less restrictive for multi-finger taps and improved tap detection.
- Defined a USB quirk for ums(4) and umt(4) devices needing to keep their pipes open at all times.
- Fixed an iked(8) interop problem with strongswan if make-before-break is enabled.
- Made vmctl(8) properly indicate VMs are stopped instead of "running" with "vmctl status".
- Updated device-tree bindings for cwfg(4) to correct attaching and account for monitoring interval change, making cwfg(4) export values under hw.sensors as expected when using a Pinebook Pro.
- Fixed a race between tx/rx handshakes in wg(4).
- Added mg(1) quoted strings capability in list values and limitation to characters allowed in symbol names.
- Made it possible to disable the "autoconf" flag but keep "temporary" enabled in ifconfig(8).
- Added btrace(8) -n (no action) mode, which parses the program and then exits.
- Added a "batch" mode to mg(1) via the "-b" command line option which will initialize a pty, run the specified file of mg commands and then exit.
- Added rpki-client(8) -V option to show version.
- Removed vmd(8) booting from kernels in raw/qcow2 images.
- Unlocked sendsyslog(2).
- Made ifconfig(8) "-mplslabel" work with mpw(4).
- Enabled DTLSv1.2.
- Made iwx(4) attach to AX201 devices with PCI ID 0x34f0. Needs fw_update(1).
- Fixed a problem where iwn(4) firmware would generate bogus block ack requests and stall traffic.
- Used the correct rdomain when adding and deleting routes with mpip(4) and mpw(4).
- Released LibreSSL 3.2.5.
- Fixed efiboot on some machines from CD-ROM due to unaligned pointers.
- Added client-detached notification in tmux(1) control mode.
- Stopped deleting control socket upon apmd(8) exit, preventing accounting of unveil(2) violations when stopping normally.
- Skipped xenodm(1) IPv6 link local addresses for TCP listener authorizations, matching what is done by startx(1).
- Added wsfb(4) support for 30-bit color.
- Stopped xenodm(1) from adding authorizations for TCP connections by default and added "listenTCP" to explicitly add authorizations for existing IP addresses on startup.
- Made ftp(1) set timestamps only on files.
- Removed the 30s minimum delay for xlock(1) timeouts.
- Updated unbound(8) to 1.13.1.
- Prevented a WPA failure in ipw(4) due to a state mismatch between firmware and net80211 during the association sequence.
- Added a deprecation warning for autoconfprivacy to ifconfig(8).
- Implemented RA in iwm(4) and iwn(4).
- Introduced RA, a new 11n Tx rate adaptation module for net80211. Unlike MiRA, RA does not attempt to precisely measure actual throughput but simply deducts a loss percentage from the theoretical throughput which can be achieved by a given MCS.
- Updated Spleen kernel fonts to version 1.9.0.
- Emulated "[inet] autoconf" hostname.if(5) lines with "dhcp" so users testing dhcpleased(8) will still be able to upgrade manually while the installer uses only dhclient(8).
- Changed ifconfig(8) to adjust terminology to reflect "temporary address extensions" rather than the former "privacy extensions," including the addition of an AUTOCONF6TEMP flag (to replace the negative flag "INET6_NOPRIVACY").
- Used unveil(2) for apmd(8).
- Forced the interface up when AUTOCONF4 or AUTOCONF flags are enabled.
- Added SMP support to arm64.
- Added a tmux(1) "absolute-centre" alignment to use the center of the total space instead of the available space.
- Added tmux(1) split-window -Z to start the pane zoomed.
- Fixed ksh(1) redrawing of a multiline PS1 prompt in vi mode and added support for ^R (redraw) in insert mode.
- Requested client certificate only when required in smtpd(8).
- Increased the maximum length for CHAP challenges to 96 octets to ensure npppd(8) can handle longer challenges, such as those sent by Juniper.
- Prevented a potential hang when trying to remove a tun(4) interface.
- Recognized Apple Firestorm cores on arm64.
- Added support for 30-bit color modes to simplefb(4).
- Prevented disklabel(8) from adjusting the swap 'b' partition size if physmem is zero to keep the auto-allocate code from putting a filesystem on that partition.
- Enabled ixl(4) on arm64.
- Added support for sdhc(4) on the Raspberry Pi in ACPI mode.
- Added support for rk809 to rkpmic(4), as seen on the Rock Pi N10 with the rk3399pro.
- Removed workaround permitting Go executables to do syscalls directly, forcing them to use shared libc like all other dynamic binaries.
- Completed slaacd(8) implementation of RFC 8981 temporary address extensions.
- Introduced an IOVA allocator to smmu(4).
- Added an initial attempt to support 8-bit ASIDs such as those on Apple's M1 SoC.
- Updated clock interrupt count atomically on mips64.
- Fixed a problem which prevented use of sysupgrade(8) when an interface failed to come up and dhclient(8) didn't notice link-timeout expiration.
- Released OpenSSH 8.5.
- Added a configurable button mapping for tap gestures on touchpads to wsconsctl(8).
- Fixed visibility of sndioctl(1) output when used through a pipe.
- Separated reading of general and touchpad-specific wsmouse(4) settings and corrected identification of device type when reading touchpad parameters fails.
- Added the ability to define single value variables in the mg(1) startup file and use them with find-file.
- Removed tmux(1) support for popups where the content is provided directly to tmux.
- Introduced bgpd(8) "rde evaluate all" to work around path hiding in IXP route-server environments.
- Allowed mixing of alternative devices (-F) with different capabilities in sndiod(8) by treating any device as full-duplex.
- Updated perl(1) to 5.32.1.
- Added support for PCIe on the NanoPi R4S to rkpcie(4).
- Added smmu(4), a driver for the ARM System MMU.
- Added acpiiort(4), a driver for the ACPI I/O Remapping Table.
- Added apldart(4), a driver for the IOMMU on Apple M1 SoCs.
- Added logger(1) support to rcctl(8), rc.subr(8) and rc.d(8) for daemons logging to stdout/stderr.
- Increased RX buffers available to the bwfm(4) chip to 256, allowing use of the Apple M1's wifi.
- Introduced dhcpleased(8), a dhcp daemon to acquire IPv4 address leases from servers.
- Added aplpcie(4), a driver for the PCIe host bridge on Apple M1 SoCs.
- Added support for version 7 of the bwfm(4) PCIe interface.
- Prevented nvme(4) attachment to devices with size zero.
- Added resolvd(8), a daemon to rewrite resolv.conf(5).
- Cleared interrupts on luna88k processors more efficiently at boot time.
- Allowed specification of a path to the mg(1) startup file on the command line.
- Added support for adding and deleting mac addr entries on nvgre(4).
- Added support for adding and deleting address table entries to bpe(4), veb(4) and etherbridge.
- Added aplintc(4), a driver for the interrupt controller found on Apple M1 SoCs.
- Introduced veb(4), a Virtual Ethernet Bridge driver.
- Added apldog(4), a driver for the watchdog on Apple M1 SoCs, allowing reboot of the machine.
- When cutting off the head of an overlapping fragment during pf(4) reassembly, reinserted the fragment into the lookup table with the correct index.
- Added cryptox(4), a driver for armv8 cryptographic extensions.
- Added ping(8) -g option to provide a visual display of packets received and lost.
- Made the libunwind cache thread-safe.
- Fixed disestablishing of PCI interrupt handlers on octeon.
- Added etherbridge, the internals of a reusable learning bridge interface providing common code reusable for other drivers needing a mac learning bridge.
- Added a MONITOR flag to ifaces to indicate they are used only for watching packets which will not enter the network stack for processing.
- Appended .html suffixes to temporary files in mandoc(1) to allow recognition by browsers.
- Added exuart(4) support for the UART found on the Apple M1 SoC.
- Enabled multiple opens of a video(4) device as described in the V4L2 specification.
- Added bgpctl(8) "show rtr" to display basic information about RTR sessions.
- Added RTR support to OpenBGPD.
- Added PermitRemoteOpen to ssh(1) for remote dynamic forwarding with SOCKS.
- Added support for X11 color names and other variations for OSC 10/11 and added OSC 110 and 111 to tmux(1).
- Restored rdsetroot(8) -x usage on stripped bsd.rd.
- Updated to xterm(1) 366.
- Added iked(8) dynamic address configuration for roadwarrior clients, with a new "iface" config option which can be used to specify an interface for the virtual addresses received from the peer.
- Synced cert.pem with Mozilla NSS root CAs (except "GeoTrust Global CA").
- Created /dev/ drm nodes with the same names as linux to simplify libdrm and negate the need for certain ports patches.
- Prevented the kernel from being stuck in an endless recursion during TCP path MTU discovery when pf(4) changes the routing table when sending packets.
- Moved UNIX domain sockets out of the kernel lock, using the new "unp_lock" rwlock(9) as solock()'s backend to protect the whole layer.
- Enabled build and install of lldb(1).
- Added an optional "group none" transform for child SAs in iked(8) to ensure the ability to negotiate optional PFS.
- Added a barrier between reading the cqe flags and the command ID to prevent completion of the wrong scsi io for nvme(4) drives.
- Removed the maxburst feature from tcp_output.
- Corrected raidlevel verification specified by the -c option in bioctl(8).
- Added a RAID1C (raid1 + crypto) softraid(4) discipline, encrypting data like the CRYPTO discipline and accepting multiple chunks during creation and assembly like the RAID1 discipline.
- Moved to 6.9-beta.
- Added the new tmux(1) -S flag to new-window to select the existing window if one with the given name already exists, rather than failing.
- Disabled sndiod(8) autovolume by default and set the default volume to 127. Setting "-w on" will replicate the previous behavior of automatically decreasing playback volume when new programs start playing.
- Upgraded to OpenSSL 1.1 compatible crypto API in iked(8).
- Implemented the nc(1) -D socket debug option in tcpbench(1), allowing analysis of TCP connections.
- Introduced uhidpp(4), a driver for Logitech HID++ devices.
- Added support for the Netgear ProSecure UTM25 to octeon.
- Turned off the direct ACK on every other data segment, saving processing time and improving network performance.
- Changed pf_route so pf(4) only runs when packets enter and leave the stack.
- Properly implemented "rde med compare strict" in bgpd(8) and ensured that the order of prefixes is always correct.
- Introduced ftp(1) support for sending the If-Modified-Since header while fetching over http or https. Switched to using the timestamps from the remote server's Last-Modified header if available when saving local files and introduced the ftp "-u" flag to disable this behavior.
- Fixed a crash that could occur in sndiod(8) when a usb device is unplugged.
- Fixed path MTU discovery for ESP tunneled in IPv6.
- Changed route-to in pf.conf(5) to send packets to IPs instead of interfaces.
- Added basic support for BCM4379, found on the Apple M1 SoCs, to bwfm(4).
- Completed code cleanup to avoid linker issues by satisfying -fno-common on all architectures.
- Made editing GPT in fdisk(8) safer by defaulting offset to the beginning of the largest free space and preventing the creation of overlapping partitions.
- Stopped relying on USB devices to correctly present their indices, instead searching for the correct interfaces. This fixes E+ Corp. DAC Audio devices.
- Applied unveil(2) to ldapd(8).
- Fixed termination assert in kqueue(2) to avoid a panic.
- Added support for RSA-PSS PKCS1 signatures to iked(8).
- Recognized Apple Icestorm cores on arm64.
- Ensured AI_ADDRCONFIG takes routing domain into account when checking for available address families.
- Renamed the HostbasedKeyTypes keyword in ssh_config(5) and the HostbasedAcceptedKeyTypes keyword in sshd_config(5) to HostbasedAcceptedAlgorithms.
- Disabled logging to syslog(3) for libunbound with unwind(8). Does not prevent logging to stderr with "unwind -d".
- Fixed a data toggle out of sync problem for ugen(4) and uhidev(4) devices on xhci(4) controllers. (Reverted 2021-02-15).
- Raised the mcx(4) max number of queues/interrupts from 1 to 16.
- Introduced the bgpd.conf(5) per neighbor and global config option "reject as-set yes/no" to allow rejection of received UPDATES with AS_SET segments. These rejected prefixes can be viewed with bgpctl(8) "show rib in error".
- Fixed wg(4) ioctl to handle multiple wgpeers.
- Fixed filtering on kstat(1) unit numbers.
- Used stoeplitz to provide a flowid for tcp packets when enabled.
- Updated the default system.fvwmrc for fvwm(1).
- Implemented DNS64 synthesis in unwind(8).
- For now, prevented memory corruption or improper page access in vmm(4) caused by improper TLB flushing by wiring the pages used by virtual machines.
- Added support for ipmi(4) on PowerNV systems.
- Set up ims(4) devices in X11 to behave like touchpads.
- Introduced ujoy(4), a restricted subset of uhid(4) for game controllers which uses /dev/ujoy/* device nodes.
- Fixed a memory leak in httpd(8).
- Removed the snmpd(8) traphandler process.
- Renamed the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms in ssh_config(5) and sshd_config(5).
- Added support for INVALID_KE_PAYLOAD in iked(8) CREATE_CHILD_SA exchange.
- Printed rewritten addresses in tcpdump(8) logged with pflog(4) for rdr-to, nat-to and af-to rules.
- Disabled com(4) on sparc64 for m3000s. Console i/o should fall back to ofw routines.
- Implemented intx support in mvkpcie(4).
- Enabled athn(4) for arm64.
- Introduced locking for amaps and anons, improving build performance.
- Fixed the httpd(8) example configuration not to generate errors when running without TLS keys already in place.
- Unlocked getppid(2).
- Introduced new function if_unit(9), returning a pointer to the interface descriptor corresponding to the unique name.
- Added a tmux(1) -N flag to never start the server even if the command would normally do so.
- Dumped the max payload size and max read request size in the pcie cap in pcidump(8).
- Prevented a panic in some acpi firmware that provided invalid memory regions in their reserved memory region reporting table.
- Pledged the doas(1) "-C" code path.
- Implemented unwind(8) listening on TCP.
- Allowed use of ospfd(8) on interfaces that share the same IP.
- Used an 8th order FIR low-pass filter for resampling in sndiod(8) and for aucat(1), removing most of the aliasing noise during resampling.
- Created a path MTU host route for IPsec(4) over IPv6.
- Updated to xterm(1) 363.
- Disabled base-gcc on loongson and octeon.
- Added PerSourceMaxStartups and PerSourceNetBlockSize options to sshd(8).
- Enabled powerpc support for floating-point exceptions.
- Added support for SSL_get_shared_ciphers(3) in TLSv1.3 and fixed to correctly return ciphers shared by the client and the server.
- Fixed -s option for cmp(1).
- Added "strip" directive to relayd.conf(5).
- Fixed a boot-time crash on sparc64 due to mutex use during the message buffer initialization.
- Made CheckHostIP default to "no" in ssh_config(5).
- Added a "xenodm" login class for xenodm(1) and increased openfiles to 512 to avoid running out of file descriptors with a busy desktop.
- Ensured sleep(3) calls nanosleep(2) if seconds is zero, now delegating all decisions about whether or not to yield the CPU.
- Allowed a process to open a video(4) device multiple times. Fixes webcam usage with Firefox and BigBlueButton.
- Fixed problems which could arise with software such as bacula and icinga when a root certificate was specified as both a trusted and an untrusted certificate.
- Began distributing the gzip'd version of bsd.rd on all platforms with boot methods supporting it.
- Fixed a use after free in carp(4).
- Updated to libc++ and libc++abi 10.0.1.
- Added requests for a new certificate without requiring -F when acme-client(1) detects an added or removed SAN in the config file not reflected in the existing certificate on disk.
- Updated to compiler-rt 11.0.0.
- Used native display resolution 1368x768 for Lynloong all-in-one computers.
- Made loongson kernels recognize Lynloong LM9002/9003 and LM9013.
- Changed the pool(9) timeouts to use the system uptime instead of ticks.
- Handled permanent redirects (RFC 7538) in ftp(1) fetch.
- Added kstat(1) to ogx(4).
- Updated to xkbcomp(1) 1.4.4.
- Updated to xinit(1) 1.4.1.
- Updated to xprop(1) 1.2.5.
- Updated to xev(1) 1.2.4.
- Updated to fonttosfnt(1) 1.2.1.
- Added a -C flag to tmux(1) run-shell to use a tmux command rather than a shell command.
- Corrected amltemp(4) attachment to allow thermal management despite temperature sensor reading failure on Amlogic SoCs.
- Added trace points for malloc(9) and free(9), making them traceable via dt(4) and btrace(8).
- Enabled IPv4 and TCP/UDP checksum offload on transmission in ogx(4).
- Renamed smtpd(8) pony process to dispatcher and klondike to crypto.
- Set klist lock for pipes.
- Added singly-linked tail queue macros from FreeBSD.
- Added bgpctl(8) "show sets" to display information about the roa-set, as-sets and prefix-sets loaded into bgpd(8).
- Introduced power-saving mode on POWER9 (ISA v3).
- Updated to libexpat 2.2.10.
- Added support for kern.video.record to sysctl(8).
- Introduced kern.video.record for video(4) devices, an analog to the kern.audio.record sysctl(8) parameter for audio(4) devices. By default, kern.video.record will be set to zero and blank all data delivered by drivers attaching to video(4).
- Used per-CPU counter for fault and stats counters reached in uvm_fault().
- Added support to dwpcie(4) for the PCIe controller found on Amlogic G12A/G12B/SM1 SoCs.
- Fixed "any" and "dynamic" keywords for flows in iked(8) and added proper IPv6 support.
- Added PCIe support to amlpciephy(4).
- Fixed a memory leak in ld.so's malloc.
- Added Gemini Lake I2C id to dwiic(4), making the touchpad work on the Teclast F7 Plus laptop.
- Corrected accounting of zero length TDs in xhci(4), preventing free TRBs from running out.
- Fixed hangs on amd64 bsd.rd due to misreported core clock frequency on newer Intel Comet Lake models.
- Added a global "nowake" channel for threads avoiding wakeup(9) to tsleep(9).
- Added Wake on LAN support to rge(4).
- Added a specific headline to netstat(1) for TCP state and IP protocol.
- Prevented a crash due to premature release of resources by the smtpd(8) filter state machine.
- Allowed the provision of dhclient(8) options on "dhcp" lines in hostname.if(5) files.
- Fixed a memory leak in smtpd(8) resolver.
- Introduced a send hold timer in bgpd(8) to detect stalls on the sending side of a TCP connection, acting as a last resort to detect faulty peers.
- Fixed ofw regulators that use "active-low" polarity.
- Added PCIe clocks to amlclock(4).
- Implemented select(2) and pselect(2) on top of kqueue(2). (Reverted 2021-01-08).
- Made clang the default compiler on loongson.
- Added an ssh_config(5) KnownHostsCommand that allows the client to obtain known_hosts data from a command in addition to the usual files.
- Prevented initiation of new additional SAs for each policy upon every ikectl(8) config reload.
- Introduced smtp(1) -a to perform authentication before sending a message.
- Fixed DRI3 support on amdgpu(4) and ati(4).
- Accepted reject and blackhole routes for IPsec PMTU discovery.
- Prevented leaking of ipsec_hosts in iked(8) when building hosts_list.
- Fixed booting on powerpc64 machines with memory banks higher in physical address space, needing a larger TCE table.
- Introduced klistops, a way to associate lock operations with a klist.
- Fixed dig(1) EDNS Client Subnet option (+subnet=).
- Fixed IPv6 link-local address handling for nameservers to talk to and address to bind to in dig(1).
- Added support for the i.MX8MP PCIe clocks, USB clocks and second ethernet.
- Made large read and write transactions work in amliic(4).
- Updated to the December 18, 2020 version of awk(1).
- Added fd close notification for kqueue-based poll(2) and select(2).
- Corrected the first packet of an ipsec(4) SA to have sequence number 1.
- Added "amlogic,meson-g12a-dwmac" to dwge(4).
- Added amlpinctrl(4) support for the "Always On" GPIOs.
- Introduced a delay to work around an issue in bwfm(4) on the BCM43602 that was triggering "unexpected pairwise key update" errors.
- Made pfctl(8) detect and reject bogus ranges before loading the ruleset to prevent a panic.
- Made tmux(1) synchronize-panes a pane option and added set-option -U flag to unset an option on all panes.
- Updated to xcb-proto 1.14.1.
- Updated to Xserver(1) 1.20.10.
- Prevented a race in dhclient(8) privsep which could cause autoinstall to fail by calling ftp(1) without a local address.
- Correctly enumerated files with more than INT_MAX lines with the cat(1) -n flag.
- Updated to unbound(8) 1.13.0.
- Updated to nsd(8) 4.3.4.
- Fixed TCP going over an interface with fq codel enabled.
- Avoided spurious "input packet decapsulations failed" errors in netstat(1) -W with A-MSDU enabled.
- Allowed booting of amd64/i386 from 4TB GPT formatted disks.
- Flushed the reorder buffer after gap timeout to prevent frames from remaining in the buffer until the next frame is received.
- Validated ghostbuster records (RFC 6493) in rpki-client(8).
- Fixed 802.11 RSN capabilities announced to peers.
- Fixed a potential NULL pointer dereference due to malformed ASN.1 in a certificate revocation list or a timestamp response token.
- Fixed the calculation of "maxlen" in iwm(4) and iwx(4) when there are multiple MPDUs in one packet.
- Limited the URL embedded in .cer files in rpki-client(8) to alphanumeric characters and punctuation.
- Added dwgpio(4), a driver for the Synopsys DesignWare GPIO controller.
- Added iked(8) support for RSASSA-PSS signature verification (RFC 7427).
- Fixed a race condition in wsmux(4).
- Allowed exporting prefixes from multiple sessions in bgpd(8) into the same pf(4) table, preventing a prefix from being removed from the table on the first withdrawal even if an alternative exists.
- Prevented a TOCTOU race in single_thread_set() by extending the scope of the lock.
- Enabled auto-negotiation on the SerDes links, allowing in-band-status to work between mvpp(4) and mvsw(4) on the ClearFog GT 8K.
- Allowed rad(8) to handle all rdomains in a single daemon.
- Made uvm_pagealloc() mp-safe.
- Ensured rekeying of every child SA in iked(8).
- Fixed ldapd(8) cert and key path inference for absolute paths.
- Taught lld to link the macppc kernel.
- Added support for 1000base-x and 2500base-x connections to mvneta(4).
- Added mvsw(4), a driver for Marvell "SOHO" switches.
- Added the iked(8) "set stickyaddress" option, which attempts to assign the same "config address" when an IKESA is negotiated with the DSTID of an existing IKESA.
- Added support for the use of !command to mygate(5), so that netstart has a late opportunity to perform network configuration.
- Updated to libX11 1.7.0.
- Handled an autoconf interface changing its rdomain in slaacd(8).
- Added iked(8) support for multiple address pools.
- Set the specified TOS/DSCP for interactive use prior to TCP connect in ssh(1).
- Cleaned up passing of struct passwd from monitor to preauth privsep process in ssh(1).
- Used a counter instead of random IV for AES-GCM in iked(8), eliminating the risk of random collisions.
- Changed kqueue_scan() to keep track of collected events in the given context.
- Killed rpki-client(8) connection upon openrsync(1) server stall.
- Added a simple --timeout implementation to openrsync(1).
- Fixed very old umass(4) devices where the INQUIRY command succeeds but with a residue equal to the requested bytes.
- Fixed a panic seen with mbuf chains on arm64.
- Fixed incorrect behavior when using dhclient.conf(5) to change the lease renew/rebind/expiry timing.
- Added iked(8) -s socket option to specify a control socket.
- When doing an sftp(1) recursive upload or download of a read-only directory, ensured that the directory was created with write and execute permissions in the interim to allow the transfer.
- Fixed urtwn(4) repeated DEAUTH and loss/restoration of link.
- Allowed specific sndio(7) devices to be used for play-only and rec-only modes.
- Fixed panics on the HoneyComb LX2K with amdgpu(4).
- Prevented accidental truncation of large memory segments on loongson.
- Added ACPI support to imxiic(4).
- Implemented the key material exporter for TLSv1.3.
- Prevented process exit in multithreaded programs from reporting the wrong error code.
- Added multicast support to bwfm(4) to allow IPv6.
- Added acpige(4), a driver for ACPI generic event devices, used on the HoneyComb LX2K to implement power button handling.
- Added pchgpio(4), a driver for the GPIO controllers found on modern Intel PCHs.
- Revised the initialization of the drm(4) Linux emulation layer to call it only when the first drm instance attaches.
- Extended pcamux(4) with ACPI support.
- Added support for the VF610 I2C controller to imxiic(4).
- Made sure not to replace 0.0.0.0 with a dynamic address in iked(8) if it is a network address.
- Added 10G media support to mvpp(4).
- Added SFP+ support to ofw, including support for direct attach cables.
- Added support for the PL2303HXN series chips to uplcom(4).
- Added support for the PCA9547 I2C mux to pcamux(4).
- Added witness(4) check for uninitialized (or zeroed) lock usage.
- Prefixed ssh(1) keyboard interactive prompts with "user@host" for easier identification of connections.
- Displayed any other hostnames/addresses associated with a new hostkey when ssh(1) prompts the user to accept it.
- Implemented auto chain for the TLSv1.3 server.
- Updated to freetype 2.10.4.
- Fixed athn(4) in client mode against APs that use WPA1/TKIP as the group cipher.
- Fixed urtwn(4) against access points using WPA1/TKIP as the group cipher.
- Fixed a panic associated with locks and drm(4) on macppc with Powerbook5,6 and RV350.
- Fixed issues with network stopping after the first down/up cycle in mvpp(4).
- Fixed link state change behavior in 82598 ix(4) chips.
- Increased speed of the dependency check pass for pkg_add(1).
- Allowed use of ## and # in tmux(1) styles and added a "w" format modifier for width.
- Added clock support for i.MX8MP.
- Implemented iked(8) "from dynamic," installing flows where "dynamic" is replaced by the received dynamic IP address.
- Fixed ilogb(3) implementation, preventing a potential infinite loop.
- Changed from rwlock(9) to mutex(9) for linux rwlocks.
- Removed the -L option from dhclient(8).
- Fixed wg(4) on macppc by keeping track of allowed ips pointer correctly.
- Added the ClearFog GT 8K to mvclock(4).
- Enabled iked(8) support for ASN1_DN ipsec identifiers.
- Fixed rare crashes of unwind(8) when DNS answers are larger than the maximum imsg size.
- Fixed rpki-client(8) checks for manifest validity interval.
- Released OpenBGPD-6.8p1.
- Added recognition of Cortex-A78AE, Cortex-X1 and Neoverse V1 arm64 CPUs.
- Corrected an issue where openssl(1) verify might not error on expired certificates.
- Fixed an issue in the TLS 1.3 code that caused stalls in haproxy and other software.
- Changed crypto(3) to call its get_issuer() callback to try to find a suitable certificate in cases where it has failed to find a parent certificate from the supplied roots and intermediates.
- Added the 'any' keyword to iked.conf(5) for requests to allow "request address any".
- Enabled brightness keys on PowerBooks where the keyboard attaches as ukbd(4).
- Set initial default display brightness on macppc via of_setbrightness() to ensure wscons(4) and ofw are in sync.
- Added 'dynamic' keyword to iked.conf(5) to allow configuration of flows to dynamically assigned addresses.
- Implemented RFC 8914 Extended DNS Errors for dig(1).
- Added tracking of address proposal creation times to be able to establish total lifetime. This information is used to renew pltime/vltime of privacy addresses per RFC 4941.
- Changed slaacd(8) Duplicate Address Detection (DAD) to only generate a new address if we are using Semantically Opaque Interface Identifiers.
- Added a directive to httpd(8) to check if a path is accessible.
- Fixed detection of duplicate locations in httpd(8).
- Added support for passing a bootmac command line argument to RAMDISK on powerpc64.
- Made iked(8) accept ANY dynamic address with 'request addr 0.0.0.0'.
- Fixed the "entry point at 0x10010000" hang reported on amd64 machines by using a 64MB block to load the kernel.
- Changed astfb(4) to allow it to become the console on powerpc64.
- Added support to request IP addresses as IKEv2 initiator to iked(8). If 'request addr 0.0.0.0' is configured, any address will be accepted.
- Added the ability to force the selection of source IP address via route(8).
- Created a new "location (found|notfound)" option for httpd.conf(5) to allow testing for resource path existence.
- Prevented kernel reuse of mbuf memory when generating the ICMP6 response to an IPv6 packet.
- Updated to unbound(8) 1.12.0.
- Added notices to syslog whenever the "%n" format string component of printf(3) is used.
- Stopped allowing configuration of the same neighbor multiple times in bgpd(8).
- Edited syspatch(8) to ensure SHA256.sig has at least three lines.
- Added limited emulation of unaligned access in the powerpc64 kernel.
- Added AMD Vi and Intel VTD IOMMU support. This creates separate domains for each PCI device and can provide protection against invalid memory access.
- Fixed wsconsctl(8) display commands when using drm(4) drivers on macppc.
- Fixed a deadlock between uvn_io() and uvn_flush().
- Added a top-level 'reboot' command to ddb(4).
- Added a -legacy_verify flag to openssl(1) to force use of the old validator.
- Fixed a memory leak when parsing bgpd(8) roa-set lists.
- Added a workaround for PCIO devices that cannot address the full 64-bit PCI address space to powerpc64. Needed for radeondrm(4) and amdgpu(4) since Radeon GPUs only implement 36, 40, or 44 bits of address space.
- Introduced a system-wide mutex that serializes msgbuf operations.
- Fixed brightness setting on MacBooks.
- Updated to fonttosfnt(1) 1.2.0.
- Added retguard macros to powerpc64 locore functions.
- Changed ping(8) to drain the raw socket of packets received before we were fully set up to avoid reporting ICMP responses intended for other instances of ping(8) running in parallel.
- Made sysupgrade(8) specify a version when it uses fw_update(1) to avoid the situation where upgrading a pre-6.8 snapshot to 6.8 release with "-r" would install firmware packages from snapshots.
- Ensured copyout(9), copyinstr(9) and copyoutstr(9) bail out properly if called with a length of 0 on arm64, hppa and mips64.
- Modified daily(8) to stop reporting disk status and networking statistics.
- Released OpenBGPD portable 6.8p0.
- Released rpki-client(8) 6.8p0.
- Added powerpc64 retguard macros for setjmp/longjmp.
- Released LibreSSL 3.2.2.
- Implemented Linux interval tree functions for drm(4).
- Added basic support for kclock timeouts to timeout(9).
- Updated to nsd(8) 4.3.3.
- Added RETGUARD implementation for powerpc and powerpc64.
- Stopped exempting file systems from security(8) on the basis of nodev and nosuid options, which may not be used for file systems mounted beneath.
- Supported use of more than one URI in the TAL file for rpki-client(8), sorting with a preference for https.
- Prevented a crash due to httpd(8) listening on port 443 with missing TLS certificates.
- Optimized arm64 copyin(9), copyout(9) and kcopy(9) by doing 16-byte copies if possible.
- Added doas.conf(5) "nolog" option to avoid syslog(3).
- Added Intel 495 Series LP PCH and Ice Lake graphics pci(4) ids.
- Fixed a pledge violation in csh(1) where redirecting input from a file containing ^T would cause csh(1) to perform a tty ioctl operation against a non-tty.
- Fixed a write hang-up on file system in vnd(4).
- Enabled ssh_config(5) UpdateHostkeys by default when the configuration has not overridden UserKnownHostsFile.
- Added bsd.mp to powerpc64's installXX.{img,iso}.
- Preferred ed25519 signature algorithm variants over ECDSA in ssh_config(5) and sshd_config(5).
- Introduced "if_cloners_lock" rwlock and used it to serialize if_clone_{create,destroy}(), avoiding multiple race conditions.
- Added astfb(4), a driver for the framebuffer of the Aspeed BMC found on many POWER8 and POWER9 systems.
- Added Intel 400-series chipsets to dwiic(4).
- Relaxed checks in pfctl(8) and pf(4) to accept any valid routing domain, even if it does not yet exist.
- Moved mfokclock(4) from loongson to make it available for other platforms and renamed it to mfokrtc(4).
- Removed osrelease from system.fvwmrc, as the version string matches the kernel of the fvwm(1) build machine, not the user's kernel.
- Moved to 6.8-current.